However, even if we assume that Red Pike will be replaced by something better
in 2002 (and that this can be done without undue expense or disruption to
fielded systems), it still does not follow that 64 bit keys are adequate to
protect medical traffic today. The reason for this is that some of today's
messages must be protected for a long time.

According to Moore's law, computing capability doubles every eighteen months.
Thus the extra eight bits of protection afforded by using 64 bit rather than 56
bit keys translate into an extra twelve years of protection. Otherwise put,
the capabilities of individuals lag slightly more than a decade behind those of
governments; and if governments can already find 64 bit keys today, then
individual attackers will be in the same position in 2010 at the latest.

But how long does medical data need to be protected?

Consider the effects of a revelation being made today that a senior Cabinet
Minister had been treated for venereal disease while a teenager. This could
clearly do harm, and clinicians seek to protect patients from such harm where
practical. The timespan of protection required could, in such cases, be about
a human lifespan -- say 70 years. (It could be even longer in the case of
genetic information.)

This translates into key lengths in the range of 112 bits (as offered by the
standard variant of triple DES) through to 128 bits (as offered by algorithms
such as WAKE, SAFER SK-128 and RC4).
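
The arithmetic behind the preceding paragraphs, as an added example that is not part of the original text: at eighteen months per bit, a 70-year protection period adds about 47 bits to whatever key size can be searched today. The 56 bit baseline for individuals, exhaustive search as the only attack, and a constant doubling rate are assumptions of this sketch.

```python
import math

# Figures taken from the section above.
DOUBLING_YEARS = 1.5         # "computing capability doubles every eighteen months"
GOVERNMENT_BITS_TODAY = 64   # premise: governments can already find 64 bit keys
INDIVIDUAL_BITS_TODAY = 56   # assumption: individuals trail by the 8-bit gap
KEY_LENGTHS = (56, 64, 112, 128)   # key sizes the section mentions

# Assumptions of this sketch: exhaustive key search is the only attack, and
# the doubling rate holds unchanged for the whole protection period.

def years_of_margin(extra_bits):
    """Years of protection bought by extra_bits additional key bits."""
    return extra_bits * DOUBLING_YEARS

def protection_years(key_bits, bits_today=GOVERNMENT_BITS_TODAY):
    """Years until an adversary who can search bits_today can search key_bits."""
    return max(0.0, years_of_margin(key_bits - bits_today))

def required_bits(protect_years, bits_today=GOVERNMENT_BITS_TODAY):
    """Smallest key size still out of reach when protect_years have passed."""
    searchable = bits_today + protect_years / DOUBLING_YEARS
    return math.floor(searchable) + 1

def smallest_adequate(protect_years, bits_today=GOVERNMENT_BITS_TODAY):
    """Smallest of the section's key sizes meeting the requirement, or None."""
    need = required_bits(protect_years, bits_today)
    return next((k for k in KEY_LENGTHS if k >= need), None)

if __name__ == "__main__":
    print("70-year requirement vs governments:", required_bits(70), "bits")
    print("70-year requirement vs individuals:",
          required_bits(70, INDIVIDUAL_BITS_TODAY), "bits")
    for bits in KEY_LENGTHS:
        print(f"{bits:3d}-bit key: "
              f"{protection_years(bits):5.1f} years vs governments, "
              f"{protection_years(bits, INDIVIDUAL_BITS_TODAY):5.1f} vs individuals")
```

Under this model the 112 to 128 bit range corresponds to roughly 72 to 96 years of protection against an adversary who can search 64 bit keys today.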

A similar argument to the above can be found in a standard textbook on
cryptography [77], which recommends a key length of 128 bits for
personal information.